Can anyone provide some code that can't be stripped by strip_tags?

On 5/15/08, Eric Butera <eric.butera@xxxxxxxxx> wrote:
> On Wed, May 14, 2008 at 11:38 AM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> >
> > On Wed, 2008-05-14 at 11:18 -0400, Eric Butera wrote:
> > > On Tue, May 13, 2008 at 4:07 AM, James Dempster <letssurf@xxxxxxxxx> wrote:
> > > > http://htmlpurifier.org/
> > > >
> > > > --
> > > > /James
> > > >
> > >
> > > This is the only real solution.
> >
> > That depends... if I'm the webmaster and I want to input arbitrary HTML,
> > then htmlpurifier is unnecessary.
> >
> > Cheers,
> > Rob.
> > --
> > http://www.interjinn.com
> > Application and Templating Framework for PHP
> >
>
> OP said "users." Strip tags doesn't bother with tag attributes so
> that is a security hole. Any regex type solution will encounter the
> same set of issues.
>
> Htmlpurifier actually strips down and re-builds your html from the
> ground against a nice whitelist filtering system that you can
> customize to your needs. No nasty tags/attributes will get through
> unless you want them to.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Regards,
Wang Yi
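
The point quoted above, that strip_tags leaves the attributes of allowed tags alone, shown next to a minimal allow-list filter built on PHP's DOM extension. This is an added example, not code from the thread and not HTML Purifier's implementation; `sanitize_html`, the sample input and the allow-list passed to it are assumptions made for illustration.

```php
<?php
// Constructed sample input (not from the thread): markup a user might submit.
$input = '<p>Hi <b onmouseover="alert(1)">there</b> '
       . '<a href="javascript:alert(1)" style="position:fixed">link</a>'
       . '<script>alert(1)</script></p>';

// strip_tags() with allowed tags drops the <script> tags but leaves every
// attribute on <b> and <a> untouched, including onmouseover, style and href.
$weak = strip_tags($input, '<p><b><a>');

// Hypothetical helper: keep only allow-listed tags and attributes.
// $allowed maps a tag name to the attribute names permitted on it.
function sanitize_html(string $html, array $allowed): string
{
    libxml_use_internal_errors(true);            // tolerate sloppy user markup
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper

    // Snapshot the live node list before modifying the tree.
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (!isset($allowed[$tag])) {
            // Simplification: drop unknown elements together with their content.
            if ($el->parentNode !== null) {
                $el->parentNode->removeChild($el);
            }
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, $allowed[$tag], true);
            if ($ok && $name === 'href') {
                // Only absolute http(s) and mailto links survive.
                $ok = preg_match('#^(https?://|mailto:)#i', trim($attr->value)) === 1;
            }
            if (!$ok) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$safe = sanitize_html($input, ['p' => [], 'b' => [], 'a' => ['href']]);
echo "strip_tags: $weak\n";
echo "allow-list: $safe\n";
```

The filter parses the markup and rebuilds it from the tree, so anything not named in the allow-list is absent from the output rather than matched and removed by pattern.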